Slashdot Mirror
Contactless Credit Cards
An anonymous reader writes "According to his article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
I like the convenience idea of it. The magnetic strip in my credit cards are usually destroyed/useless before the card even expires. Between rubbing against other credit cards, contact with the leather, and/or body sweat highly used cards are usually replaced before they ?expire?.
Where?s the security? I often wonder why the heck credit card purchases don?t require a PIN at the very least. Yeah, we?re all high tech and thumb prints and/or eye scans would be cool, but I?m all for having to know and enter a PIN on each and every purchase.
I tend to go for EFT payment whenever possible as I do have to enter a PIN. Shoulder surfing or a corrupt security camera guy is always a problem. I?m smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN too. I suppose insurance costs and ?shrink? just isn?t too expensive yet?
I?d be impressed if there was a thumb reader built into each plastic card I waived around buying all my shit.
Mobile gas anyone?
They won't know where to send the bill!
Let's see. A crowded line at an amusement park... I'm sure I could pick up 100 credit card numbers an hour with my wiz-bang pocket card reader. "Excuse me sir... I didn't mean to bump into you..."
... on how long it takes before someone cracks/hacks whatever security these things have and begins making megabucks by planting remote cardreaders in places like mall store entrances?
How long will it be? Say, to the nearest hour or so?
End of lesson. You may press the button.
The nice thing from a security standpoint is that the credit card companies have it in their own best interest to make sure people feel confident using these new technologies. While a single cardholder could be at risk to lose a few thousand dollars, these companies have billions riding on these transactions. When it comes to secure computing, this is one industry that actually keeps it on the front burner...
Stop by my site where I write about ERP systems & more
Shielded wallets/credit card holders. Someone call ThinkGeek.
http://www.paypass.com/ Currently beta testing in Florida...
This sounds an awful lot like SpeedPass, which is at least 5 years old. Any idea what the difference is?
Other than the magnetic strip not wearing out, what's the advantage? Unless its short-range enough that passers-by can't steal your money, you'll still have to present it to a reader (the article mentions 20cm) Or perhaps they mean it can't be swiped (as in stolen.) It could mean the end of shoplifting though, just use the security scanners to read the RF tags in what has been taken and then take the money straight off the card. (Actually, that could be a great way to shop: pick things off the shelf, walk out and pay without having any queues at the checkout. Where's my patent lawyer?)
Don't go to a brothel if you want to buy broth
so THAT's why the Jedi Hand Wave works.
"These are not the droids you're looking for"
(handwave, subtle ka-ching! sound)
"These are not the droids I'm looking for.. move along..."
That's how I pay for gas at Mobil, with their Speedpass. It's a small keychain thing that looks like a black magot:
Well, that was how I paid for gas at Mobil. I cut my Speedpass open, took out the glass cylinder, and put it inside my Nextel i90 cell phone, it fit next to the battery. The Speedpass only lasted a few months before dieing. I haven't tried it again yet...
It was cool when it worked though, I just held my cell phone up to the pump to pay for gas.
tbdean
I've been using a contactless credit card for years. I type the number into an HTML form, and my card never comes within the same city as the merchant I'm purchasing something from. For that matter, it sometimes isn't in the same city as I am when I'm making the purchase -- for a couple months last year it was on a different continent.
In fact... let me see here... no, I still haven't gotten around to signing the back.
Tarsnap: Online backups for the truly paranoid
Read the article. Plenty of subtle reference to rights management and content control. Buy a DVD with this viper and have to wave it next to your DVD player to get it to play.
"Eve of Destruction", it's not just for old hippies anymore...
A hot chick rubbing your ass would be a sure sign something was wrong to any Slashdot reader.
You say you are smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN, yet you also claim to be buying shit?
Most, if not all, of the smart people I know never, ever 'buy' shit....they seem to find a way where people continously give them shit, sometimes for no apparent reason. Now I know some would argue that this may well be a gift, but I've watched this happen, over and over, and I'm here to tell you, it seems like it doesn't matter what they do or what they say, someone will eventually give them shit. Really! I am not kidding! It's true!!
If you are having to pay for shit, may I suggest a crash course in shit 'taking'...you can sign up for one online I believe..perhaps right here, if you ask nice.
Not to be a twit, but I heard about this sort of "keep it in your pocket" magnetic technology being deployed already. Around February of this year, one of my English students in Tokyo, who worked for Sony/Ericsson, told me his company's "secret" new cell phone in development would have this mag card tech built in. It would replace the "Suica Card" existing tech, which is just a card you mash against the reader while keeping it in your wallet. The phone was due to hit the shelves in 6 months, which would be this August. Only in Japan, of course, which means it should be out in America around August 2005.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The technology in general can be a great convience, I have used them before and it means you don't have to fish the card in and out of your wallet, but what happens when you have more then one of this type of card in your wallet (the reader will read them all properly, but which to use?) and theft is a real concern.
Unless the also use a pin-number system, there is really nothing they can to to prevent theft. If you have a 'shielded wallet' or you have to press a button, then it defeats much of the point, and you have to actually get the card out.
I'm worried that they will try a type of encryption, (info on card is encrypted, and the CC co has the key in a central data base). Now if they were to do a new encryption key for each card, then great, but I could see them using one key for all of them, then what happens if that key is leaked. Even if they do that, it keeps the CC number safe so it cant be used online or such (assumming that the RFID number is even related to the actual CC number, which it probalby wouldn't be) it still cant stop someone from making a new RFID card to retransmit the info.
Basicly it all boils down to that there is no real way for the CC company to protect the card if it is contactless. with 20cm (about 8in) you could easilly walk around a mall with a reader in your pocket picking up the ids of the cards.
It's not a new concept. We already practice it here at Slashdot - we don't even have to read the article, we just get near the story and start spouting off comments.
If you have 2 side by side, then there can be issues when trying to use them.
This is something that I have seen with proximity cards for two seperate systems. When the two are together then when system A tries to contact Card A, Card B is also activated and the system cannot make any sense out of what it has received. Therefore no access.
In this case you have to seperate the two cards, in order to read them.
There has been talk about contactless smartcards for the past 10 years.
It is very difficult to steal information from smart cards. I know of 1, maybe 2 ways to steal from smart cards that use contacts (one is to detect very small fluctuations in the voltage draw of the card as the crypto algorithms are doing their magic) and no ways to steal from contactless cards, given they are properly setup (and given Visa is backing it up, they probably are).
/.ers have complained about.
You can set files on the card (it has a tiny file system) such that they can only be written to. I have a Cryptoflex 8k card here that has my public and private keypair on it for PGP. The public key can be read off very easily but for the private key to be useful, the card will actually do the encryption for me. So I will insert my card into the reader, I will type what I want to encrypt in my email window and when I press send it will send all of the text over to the smart card where it is encrypted with my private key, which never leaves the card. Now ideally you would run your keyboard right into the smart card reader for sensitive operations (so the host operating system cannot be backdoored and the plain text version ever recovered).
The risks for these cards are very small. From what I can tell they'll probably be JavaCards (which basically will run a small java applet) that will only give up information about the card to verified readers (the card will store a certificate authority's public cert and verify the certificates of the readers) . This will stop the "stealing by walking behind someone with a reader" problem so many
Hope this helps (I've done a crapload of work with smartcards recently for a Purdue IEEE project)
You know, back when you could still afford to go out for dinner (DQ doesn't count), how the waitperson would bring the bill on a little plastic tray and lay it on the table....and you'd simply drop your c'card onto the bill...and then someone would take the tray and bill and c'card and....oh, wait, I get it...
Hello, I'm Dwayne, I'll be your card waver this evening.
So, if Visa is the first mover, do they essentially "own" the wallet because the lazy consumer wouldn't want to bother pulling out a different card?
And what happens if there are multiple cards that are contactless? Do I have to pick one out? What's the point of this, then?
My building uses contactless badges. Ironically, we have a badge for the building and another for the garage. I can't keep both cards in the wallet because they interfere with each other.
Finally, is Phillips proposing to make cars run off the card? Wow. Imagine starting your car just by sitting down...
These cards better have a small range (two feet max) or I don't see how you will manage to perserve the time-honored tradition of the grocery store line.
"Did you swipe your card?"
"Not yet."
"That's funny, because your total has already been paid!"
My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.
Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.
These kinds of cards do not usually have any kind of power source. They rely on a alternating current magnetic field that the reader gives off. This magnetic field energizes the coil that is built into the card. This coil supplies power to the circuitry on the card which causes the card to send its ID via some kind of rf signal. There are no "smarts in the card itself. The card just sends its ID and a computer behind the scenes uses that ID info to open the door or pay the bill.
For those concerned about portable readers consider that a reader would have to send out a powering magnetic field and then capture the ID of the card. My guess is that all kinds of security could be built into these cards. The most obvious kind would be the use of an ID that contained a constantly changing code like the secure IDs many of us use to access various secured dialup and network devices. The only drawback is you would need some kind of contained power source in the card to power the secure ID ciruitry as it has to be constantly powered so it does not lose sychronization with the host system. My guess is the reader could still supply power for the RF signal while the secure ID part used a small lithium cell.
That way the ID would not only have to be correct but the security code would only be good for about 3 minutes. That would make these things fairly secure, probably moreso than a card and a PIN as the PIN can be noted via cameras and the quicksighted.
Physical theft of the card would be a problem but that would not be anything new to get used to.
dzimmerm
Jumping to correct solutions slowly is better than jumping to incorrect solutions quickly.
I didn't RTFA, but here's an idea to counter some people's fear that a technology like this would necessarily allow you to steal card numbers as you walk through a crowd.
The card could use a challenge/response system with the merchant. Each card has a symmetric key pair - the public key is your account number used for billing. The private key is known only to the card, and is used to sign a challenge phrase from the merchant. Challenge phrases would be unique to each transaction (given out by the financial institution per transaction). This way, cards couldn't be cloned.
Karma: -2147483648 (Mostly affected by integer overflow)
When I visited Hong Kong in 2001, I bought a subway pass with this technology.
If you buy more than about $10 US of subway services, you have the option to get a smart card. My whole stay that card left my wallet only once (to return it for a refund). Othere than that when I used the subway, I would just set my wallet on top of the read. It was so conveneient.
Even better, lots of vendors (such as convenience stores) let you pay using your subway credit.
I guess there are more security concerns when using this with a real credit card, but it seems like it should have happened in this country sooner.
http://yetanotherpoliticalrant.blogspot.com
I can see Amazon patenting 0-click technology with this...
- Danny
Leave it to those narrow-minded visionaries at VISA and Royal Phillips to come up with an even more insecure method of deploying consumer credit card information... via RF (wireless) technology.
If you think credit card fraud is rampant now, wait until card thieves get hold of a portable RF reader and begin walking down crowded streets...
Hey, that's fine with me. This gives me enough lead time to come out with a copper-lined wallet that prevents RF credit card theft. In fact, I'm racing to the patent office now!
Reading some of the comments here about the security of these cards, and it makes me worry somewhat.
I used to sysadmin for a shell account company, and we saw huge amounts of credit card fraud, mostly from kids looking to run bots on IRC, or just because they collected shell accounts.
One thing I came away with from that experience was the definite feeling that Credit card companies don't seem to think it is in their interest to stop credit card fraud.
After all, if the owner of a card is frauded, the bill goes on their card, and interest is accrued. If the owner of the card isn't diligent, its possible they might just automatically pay the card off, without even realise they have been a victim of card fraud.
Certainly, the credit card companies don't seem to go after the fraudsters as much as they should. One of my friends on Dalnet used to regularly give the full details of people that she had discovered doing carding. One kid was so blatant, he put up a web page, with pictures of him holding up all the crap he had bought with stolen card numbers.
He was 12, and his mother didn't care in the slightest he was stealing. And neither did the credit card companies. The police were interested though, but he didn't have much repercussions - just a couple of weeks in a counselling center for kids.
Anyway, I digress.
Proximity cards are a great ieda. It means I can just wave my wallet near the scanner to pay for an item.
But, if this is not couple with some new form of identification currently not in use with credit cards (a pin number would suffice, or something biometric such as a thumb-print), then I fear that fraud will just increase.
People will get a hold of the scanners, and set up their iPod to capture the card numbers of anyone in proximit to it, and just walk up behind people, snapping up numbers.
Maybe I'm just getting paranoid.
The EE Times article focuses on the technology is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.
Wouldn't the PKI scheme be used? That is to say that the card and card-reader share some key. I suppose that this would be just another variation on chip-card technology (EMV, Proton etc).
The place where I used to work had these key fobs which worked like that. I thought it'd be cool that we just had to walk next to the door and it'd open it.
Not.
Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held infront of the device, almost touching it.
Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.
I kid. I don't have one and you can't "apply" for one either. Read more about it here and see it here.
(waves hand) "You will sell me these goods." :)
Japan has had contactless debit cards for quite some time, with technology developed by Sony. The Japan Railway East 'SUICA' cards are similar to the Octopus cards in Hong Kong.
l in g_12c.htmlD /europe/02/18/biz .trav.smart.cards.ap/
0 1. html
http://www.tcvb.or.jp/en/hot/sizzling/0112/sizz
and
http://edition.cnn.com/2003/WORL
Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.
http://www.sony.net/Products/felica/contents04_
Waves AmEx These aren't the droids you're looking for...
Obiwan was a bribe merchant!
They do make contactless micro-processor smart cards. Schlumberger makes one, two, three, different versions.
From their site:
High-speed contactless operations are completed in less than 100 milliseconds and at distances of up to 10 cm from the reader. Security between different applications is ensured by two 48-bit diversified keys and specific access conditions per sector. Security is further reinforced by replay attack protection and a three-pass handshake, which manages the mutual authentication between the card and the reader. In addition, the Easyflex FastOS 2.0 fast anticollision algorithm allows more than one card to be processed by the reader at the same time.
Easyflex FastOS 2.0 communicates on the 13.56 MHz carrier frequency in compliance with the current ISO 14443-Type A standard and implements the standard Mifare protocol, allowing it to be used with the vast majority of contactless card systems.
I've asked many people this but no one can give me a decent answer...
What kind of security check is it to write your signature after using your credit card?
I mean the signature is on the back of the card!
It's like having the password to your computer written on a piece of paper stuck to your monitor...
They should name these card after presidents Bush. You can run up a huge deficit without touching anything.
The idea that just waving a card in the proximity of a reader will make you poorer makes people uncomfortable. Poor feedback.
...um...
Our bus services recently switched to cards like that. People keep wondering, if the reader actually took the charge at all or charged them twice.
The fact that the card itself has no display to show its balance and the reader a mere 20 character display increases the discomfort.
If these cards aren't surrounded by proper interfaces, they will not get popular.
Argh, I forgot the "Didn't cost anything: I paid with my Visa" effect that guides people into personal bankruptcy. They seem very comfortable with that. So forget I said anything.
I think that's how SpeedPass works. It's really a faster way to buy things, but seems incredibly unsafe. If someone swipes that thing, you're done!
stuff |
I think the point is that proximity scanning is (slightly) easier than swiping -- especially since swiping isn't always straight-forward in my experience. (i.e., Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk enters number manually.) It might be nice to have the reading of a card number not be dependent on 1) the supple wrist of the user, 2) the condition of the card, 3) the speed and direction of the swiping motion . . . the list goes on and on.
Also, the wear and tear on the cards might actually be reduced enough to make them last more than a few months . . .
Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. Date)
Shred receipts you don't need and keep secure those you do.
Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)
If you are going to purchase online via credit card, never allow the website to store the data "for your convenience" because then it is in their database. The site should have to ask for your cc# for each and every transaction. If they don't have the option not to store your card info, don't shop there and let them know why.
Consider getting a single, low limit card that you use exclusively for online purchases, particularly one that advertises online purchase protection.
Check you statement monthly or more often (if online statements are available.)
Grab your mail
This is a federal offense, but anyway. Don't forget your mail carrier at Christmas, Kwanza, Hanukah, whatever.
Look in your recycling box
Shred, shred, shred.
Look at your card over your shoulder
Be aware of your surroundings.
Hidden cameras, crooked cashiers/waiters etc
see: "Check your statement monthly" above.
Set up a fake online store selling a few products very cheaply.
Set up a cheap porn site. (ala the Eros Island scam)
Discover USENET pr0n, which is free. You don't mean you actually *pay* for pr0n do you?
I think they better first check out the so-called "Smarter Card" from Cypak a Swedish firm that has a card with embedded CPU and RF, and a keypad built onto the card which requires the user to enter a PIN to validate use of the card. Seems to me that Cypak already has most of the relevant technology.
Pro: My card won't wear out before it expires 6 years from now
Con: Now I can have my number stolen without comming into physical contact with the theif .
--This could be a pro if you consider it could make getting robbed a whole lot safer
See the Pictures of the Flood of '08
'cuse me sir, you just bought this purple-metallic minivan with golden rims ... where would you like us to ship it?
So, someone gets a dummy card that looks real and holds that in their hand. but the stolen card is up your sleeve, and activates the electronics. Visual verification by the cashier? sure! Of course the signature looks right, you wrote it! But it seems like it might be a halfway decent technology if they can figure out how to avoid abuse like that. ah well, just my 857,345,246.4 rubles.
If you can read this, you are most likely close enough.
Looks to me like just a speedier way to suck money out of your bank account and charge you for the service to boot!
I don't know about everyone else but I go running scared when I see things like (paraphrased) "...standard method of allowing consumers to purchase content in their home..."
I can see it now.... "please wave your contactless credit card to watch this channel"....
42 - So long and thanks for all the fish.
I read a few articles on "stealing" proximity card data. It's aparently not very hard..
One proximity card that I use requires almost physical contact to the reader, which is appropriate for a doorway.. But another card I use (same building, same card type) to open the garage gate reads the card within about a foot of the reader. I roll my car slowly by, casually holding the card out, and it reads with no contact.
With the appropriate equipment, you can read data from just about anyone's card at a distance. How close do you have to be? People get kinda close in elevators, or you can just be polite, and be holding an outside door for them while they walk by your briefcase/laptop bag/purse. For that matter, I guess your reader could be in the brown paper bag that appears to hold your lunch.
H2K2 had a lecture on it. Here's the lecture description. in July of 2002
"Proximity Cards: How Secure Are They?
Sunday, 6 pm
Area "B"
They're used everywhere but they could be making you even more vulnerable to privacy invasion. Delchi has been working with proximity based card systems for two years and has developed a method of casually extracting data from proximity cards in a public environment. Riding in an elevator, subway, or just walking down the hall, a person can bump into you, say "excuse me," and walk away with the decoded information from the proximity card in your pocket. It could then be possible to build a device that can capture and replay these snippets of information on demand or to even brute force a proximity card system. This talk will focus on the vulnerabilities of the systems and show a low power working prototype. Alternatives will be discussed, as well as other vulnerable aspects of proximity based building and computer access systems."
I've read some design information on it also, but can't seem to find the links right now. I don't know what the options are for protection of proximity cards.. Keep them in a foil pouch?
Serious? Seriousness is well above my pay grade.
So then I walked through the mall with my card scanner on and picked up about 15 valid numbers from people I passed.
Wanna go shopping?